How India Inc is losing its cybersecurity war

Mumbai’s top cybercop Brijesh Singh has his hands full these days. With increasing cybercrime, including a rising tide of corporate cyber incidents, there’s no respite for the Maharashtra Police cybercrime team that the suave 1996 batch IPS officer leads. Recently Singh’s crack team solved a host of high-profile cases, including the Reliance Jio Infocomm unauthorised data access case and the Game of Thrones leak.

“We end up getting at least three-four corporate cybercrime cases in a week. Earlier the corporates wouldn’t come forward to disclose cyber incidents, but now we see them coming forward to lodge complaints and work closely with the police department to help solve the cases,” said Singh, special IG-cyber, Maharashtra Police.

With each passing day, cyberspace is becoming a new frontier for corporates.

Globally, in the past few days, the Equifax breach exposed personal information of 145 million US customers, Yahoo acknowledged that three billion email accounts were breached in a 2013 attack, and accounting firm Deloitte, which incidentally runs a large cyber practice, was also hacked.

The industry bigwigs have started sounding warning bells. Tech visionary Larry Ellison said last week, “Make no mistake: it’s a war. We have to reprioritise and rethink about how we defend our information.”

In such a milieu, the situation is no different in India. In the past few months, two of India’s top private banks, a top telecom company, a top media company and a stock exchange have all been victims of major cyberattacks or cyberthefts, and the ransomware WannaCry and Petya infected thousands of companies.

“The attacks which are publicly known are only a minuscule number. We are only looking at the surface; no one knows what’s going on in the background and even the companies are not aware of threats lurking in their system,” said Altaf Halde, managing director, Kaspersky Lab (South Asia).

Given the lack of any regulations regarding disclosure – except in financial services where it is mandated by the Reserve Bank of India – companies hit by cybercrime hide the incidents even in cases where customers have been impacted. So the true extent of impact on India Inc never comes out.

Cyber experts say what makes Indian industry vulnerable is the changing threat profile, with resource-rich nation states now targeting companies.

Increasingly there is evidence that critical national infrastructure is being probed by cyber agents from other nation states. A few years ago, US intelligence agency NSA had picked up the trend of Chinese hackers targeting Indian pharmaceutical and IT companies and even discussed specific inputs with companies.

In a recent attack, cybercriminals suspected to be based out of China managed to break into two of India’s most prominent information technology firms. While one of the companies detected the cyberattack on its servers within hours and was able to stop any data breach, the other IT firm could spot the intrusion only a week later. “Since 2012, international countries which have economic interests in India have been silently active. There is a sectoral penetration which is real and we are not as ready as one would expect. We believe sectors like IT, pharma, chemicals, defence and energy are in their crosshairs,” said Sivarama Krishnan, partner advisory cybersecurity, PwC.

The nation state cyberthreat is becoming very real. A defence contractor was compromised recently after an employee downloaded Excel sheets containing malicious code from an Indonesian institute.

During investigations it was found that Pakistani intelligence agencies were quietly pulling out data from the contractor’s systems. The North Korean hacking group known as Lazarus was likely behind a recent cyber campaign targeting organisations across multiple countries, and some Indian banks were hit too.

In sectors where competitive intensity is high, cyber criminals now operate with both espionage and criminal intent. In the past, cyber criminals focused on stealing information and threatening corporates, but now they are weaponising software by installing malicious scripts and disrupting work.

Two Indian conglomerates were forced to pay $5 million each in order to prevent hackers from disclosing information that outed their wrongdoings. The cyber criminals patiently accessed the IT systems for two to three years before they acted on it.

In yet another cyberattack, hackers seized control of computers at three banks and a pharmaceutical company, and then demanded a ransom in bitcoins for the decryption keys to unfreeze them. The attackers accessed the systems by compromising IT administrators’ computers. In all four cases, the hackers are said to have used the LeChiffre ransomware. Hackers also breached Union Bank of India’s security systems, but the money trail was traced and the movement of funds was blocked.

Given the nature and scale of the threat, Indian companies are not investing enough in security. For example, global banks spend up to 15% of their IT budgets on security, but in India the figure is hardly 2-3%.

But now senior managements have started taking notice given the loss potential and also the reputational risk. “We have to think security first along with digital first. In every senior management meeting, the security issue is being brought up given the high risks involved,” said Joydeep Dutta, group chief technology officer at Central Depository Services India Limited.

Even when the large companies beef up security, though, the vendor or distributor base down the chain remains vulnerable and the entire ecosystem is at risk. In the Reliance Jio case, for instance, a vendor based in Rajasthan had built an interface on top of the company database that allowed some people to access their details from the company’s database. A lot of Aadhaar leaks are similar, according to experts. Some personal data can be accessed through different users but the biometric database and other key data remain safe. “We are sitting on a time bomb. Companies are not looking at the entire ecosystem,” said Krishnan.

One reason Indian companies are affected by cyberattacks is the rampant use of unlicensed software and, in some cases, underpaid licences, which make them sitting ducks.

Lately, there has been a spike in cases where the protectors turned into perpetrators.

Increasingly, the IT maintenance, operations and support ecosystem is becoming a key area of vulnerability due to multiple levels of outsourcing dictated by cost compulsions. A Delhi-based FMCG company found that a disgruntled vendor employee had used an admin password to create a false trail of evidence to implicate the company IT senior who wouldn’t hire him on company rolls. However, he used his own desktop to log into the IT manager’s mail, and that, combined with TV camera evidence, was used to nail him.

In another case, pertaining to a tower company, an IT admin figured out how the banking switching system and the company’s ERP software recorded financial transactions. He changed the bank account number and IFSC code using an admin login and transferred Rs 4 crore in small value transactions to his account. A worried supplier, who couldn’t reconcile his accounts, complained to the CEO and finally the employee was caught.

Using cyber tools for espionage is fast becoming common. In a family feud between two brothers who inherited a large fabric manufacturing business and later branched out on their own, the elder brother decided to target the better off younger brother. Using cyber assets, he started disrupting the younger brother’s business.

Suddenly systems would be unavailable, suppliers and customers wouldn’t get important communication and designs were being lifted, until the younger one ordered a forensic investigation.

A key trend emerging from investigations is that a big part of the problem is a lack of understanding of security risks among senior management and their attendant staff.

A phishing exercise carried out by PwC for senior management of a large bank found that more than 80% of secretarial staff fell for the bait, compromising the system. Hackers targeted an MNC CEO by finding out details about his secretary from social media and then sent her a mail with malicious code that discussed her boss’ upcoming travel plans. The secretary opened the attachment, compromising the CEO’s account.

Hacking companies is now easier than ever before. “The cost of entry into cybercrime is very low and there are lots of online tools available. One doesn’t even need to go out to learn hacking; there are YouTube videos giving step-by-step tutorials. Also, the fact that the online world gives a person a certain sense of anonymity, which people find empowering,” said Singh of Maharashtra Police.

To compound the woes of the corporates, the outdated regulations are not helping.

“In the Indian IT Act financial fraud is a bailable offence. Criminals are not afraid because the penalties are small. After 2008, the Act has not been amended, so the regulations are not keeping pace with the changing cyber scenario,” said Mukesh Choudhary, founder of Cyberops Infosec.

Indian employees are particularly susceptible, given the large-scale adoption of smartphones, cheap data rates and a habit of downloading all sorts of apps. Recently, cyber criminals uploaded an app to Google Play that gave people tips and tricks to find more Pokemons, and subsequently a lot of people ended up infecting their phones.

With the whole Bring Your Own Device or BYOD trend catching on, IT managers have been struggling with the security aspect. In a large pharma firm, the head of research’s laptop was infected by hackers from an enemy nation and for two and a half years they gleaned all company and personal information from the personal laptop. “Mobile is the most vulnerable but gets least attention by the corporates,” said PwC’s Krishnan.

So is the cybersecurity problem any closer to being solved? Numbers reveal a disturbing trend. According to the McAfee report, new malware samples leaped 67% to 52 million, new ransomware samples increased 54% to 10.7 million samples and total mobile malware grew 61% in the past four quarters to 18.4 million samples. Looks like Singh and his team are staring at a busy season ahead.